tournament 3.0.3 → 3.1.0

data/webgui/vendor/plugins/restful_authentication/README.textile

@@ -8,8 +8,8 @@ authentication:
 * Account approval / disabling by admin
 * Rudimentary hooks for authorization and access control.
 
-Several features were updated in May, 2008.  
-* "Stable newer version":http://github.com/technoweenie/restful-authentication/tree/master 
+Several features were updated in May, 2008.
+* "Stable newer version":http://github.com/technoweenie/restful-authentication/tree/master
 * "'Classic' (backward-compatible) version":http://github.com/technoweenie/restful-authentication/tree/classic
 * "Experimental version":http://github.com/technoweenie/restful-authentication/tree/modular (Much more modular, needs testing & review)
 
@@ -54,7 +54,7 @@ These best version of the release notes are in the notes/ directory in the
 "source code":http://github.com/technoweenie/restful-authentication/tree/master
 -- look there for the latest version.  The wiki versions are taken (manually)
 from there.
-  
+
 ***************************************************************************
 
 <a id="AWESOME"/> </a>
@@ -62,14 +62,14 @@ h2. Exciting new features
 
 h3. Stories
 
-There are now RSpec stories that allow expressive, enjoyable tests for the
+There are now "Cucumber":http://wiki.github.com/aslakhellesoy/cucumber/home features that allow expressive, enjoyable tests for the
 authentication code. The flexible code for resource testing in stories was
 extended from "Ben Mabey's.":http://www.benmabey.com/2008/02/04/rspec-plain-text-stories-webrat-chunky-bacon/
 
 h3. Modularize to match security design patterns:
 
 * Authentication (currently: password, browser cookie token, HTTP basic)
-* Trust metric (email validation) 
+* Trust metric (email validation)
 * Authorization (stateful roles)
 * Leave a flexible framework that will play nicely with other access control / policy definition / trust metric plugins
 
@@ -111,8 +111,8 @@ h2. Installation
 This is a basic restful authentication generator for rails, taken from
 acts as authenticated.  Currently it requires Rails 1.2.6 or above.
 
-**IMPORTANT FOR RAILS > 2.1 USERS** To avoid a @NameError@ exception ("lighthouse tracker ticket":http://rails_security.lighthouseapp.com/projects/15332-restful_authentication/tickets/2-not-a-valid-constant-name-errors#ticket-2-2), check out the code to have an _underscore_ and not _dash_ in its name: 
-* either use <code>git clone git://github.com/technoweenie/restful-authentication.git restful_authentication</code> 
+**IMPORTANT FOR RAILS > 2.1 USERS** To avoid a @NameError@ exception ("lighthouse tracker ticket":http://rails_security.lighthouseapp.com/projects/15332-restful_authentication/tickets/2-not-a-valid-constant-name-errors#ticket-2-2), check out the code to have an _underscore_ and not _dash_ in its name:
+* either use <code>git clone git://github.com/technoweenie/restful-authentication.git restful_authentication</code>
 * or rename the plugin's directory to be <code>restful_authentication</code> after fetching it.
 
 To use the generator:
@@ -140,19 +140,19 @@ To use the generator:
   activation code.  (@--stateful@ implies @--include-activation@). Based on the
   idea at [[http://www.vaporbase.com/postings/stateful_authentication]]. Passing
   @--skip-migration@ will skip the user migration, and @--skip-routes@ will skip
-  resource generation -- both useful if you've already run this generator. 
+  resource generation -- both useful if you've already run this generator.
   (Needs the "acts_as_state_machine plugin":http://elitists.textdriven.com/svn/plugins/acts_as_state_machine/,
   but new installs should probably run with @--aasm@ instead.)
 
 * --aasm: Works the same as stateful but uses the "updated aasm gem":http://github.com/rubyist/aasm/tree/master
-  
+
 * --rspec: Generate RSpec tests and Stories in place of standard rails tests.
   This requires the
     "RSpec and Rspec-on-rails plugins":http://rspec.info/
   (make sure you "./script/generate rspec" after installing RSpec.)  The rspec
   and story suite are much more thorough than the rails tests, and changes are
   unlikely to be backported.
-  
+
 * --old-passwords: Use the older password scheme (see [[#COMPATIBILITY]], above)
 
 * --skip-migration: Don't generate a migration file for this model
@@ -169,30 +169,30 @@ alter to suit. There are additional security minutae in @notes/README-Tradeoffs@
 
 * Add these familiar login URLs to your @config/routes.rb@ if you like:
 
-    <pre><code> 
-    map.signup  '/signup', :controller => 'users',   :action => 'new' 
+    <pre><code>
+    map.signup  '/signup', :controller => 'users',   :action => 'new'
     map.login  '/login',  :controller => 'session', :action => 'new'
-    map.logout '/logout', :controller => 'session', :action => 'destroy' 
+    map.logout '/logout', :controller => 'session', :action => 'destroy'
     </code></pre>
 
 * With @--include-activation@, also add to your @config/routes.rb@:
 
-    <pre><code> 
-    map.activate '/activate/:activation_code', :controller => 'users', :action => 'activate', :activation_code => nil 
-    </code></pre> 
+    <pre><code>
+    map.activate '/activate/:activation_code', :controller => 'users', :action => 'activate', :activation_code => nil
+    </code></pre>
 
   and add an observer to @config/environment.rb@:
-  
-    <pre><code> 
+
+    <pre><code>
     config.active_record.observers = :user_observer
-    </code></pre> 
+    </code></pre>
 
   Pay attention, may be this is not an issue for everybody, but if you should
   have problems, that the sent activation_code does match with that in the
   database stored, reload your user object before sending its data through email
   something like:
 
-    <pre><code> 
+    <pre><code>
     class UserObserver < ActiveRecord::Observer
       def after_create(user)
         user.reload
@@ -207,16 +207,16 @@ alter to suit. There are additional security minutae in @notes/README-Tradeoffs@
 
 
 * With @--stateful@, add an observer to config/environment.rb:
-  
-    <pre><code> 
+
+    <pre><code>
     config.active_record.observers = :user_observer
     </code></pre>
-    
+
   and modify the users resource line to read
-  
+
     map.resources :users, :member => { :suspend   => :put,
                                        :unsuspend => :put,
-                                       :purge     => :delete } 
+                                       :purge     => :delete }
 
 * If you use a public repository for your code (such as github, rubyforge,
   gitorious, etc.) make sure to NOT post your site_keys.rb (add a line like

data/webgui/vendor/plugins/restful_authentication/generators/authenticated/authenticated_generator.rb

@@ -103,8 +103,8 @@ class AuthenticatedGenerator < Rails::Generator::NamedBase
         m.directory File.join('spec/models', class_path)
         m.directory File.join('spec/helpers', model_controller_class_path)
         m.directory File.join('spec/fixtures', class_path)
-        m.directory File.join('stories', model_controller_file_path)
-        m.directory File.join('stories', 'steps')
+        m.directory 'features'
+        m.directory File.join('features', 'step_definitions')
       else
         m.directory File.join('test/functional', controller_class_path)
         m.directory File.join('test/functional', model_controller_class_path)
@@ -174,23 +174,23 @@ class AuthenticatedGenerator < Rails::Generator::NamedBase
                                class_path,
                               "#{table_name}.yml")
 
-        # RSpec Stories
-        m.template  'stories/steps/ra_navigation_steps.rb',
-         File.join('stories/steps/ra_navigation_steps.rb')
-        m.template  'stories/steps/ra_response_steps.rb',
-         File.join('stories/steps/ra_response_steps.rb')
-        m.template  'stories/steps/ra_resource_steps.rb',
-         File.join('stories/steps/ra_resource_steps.rb')
-        m.template  'stories/steps/user_steps.rb',
-         File.join('stories/steps/', "#{file_name}_steps.rb")
-        m.template  'stories/users/accounts.story',
-         File.join('stories', model_controller_file_path, 'accounts.story')
-        m.template  'stories/users/sessions.story',
-         File.join('stories', model_controller_file_path, 'sessions.story')
-        m.template  'stories/rest_auth_stories_helper.rb',
-         File.join('stories', 'rest_auth_stories_helper.rb')
-        m.template  'stories/rest_auth_stories.rb',
-         File.join('stories', 'rest_auth_stories.rb')
+        # Cucumber features
+        m.template  'features/step_definitions/ra_navigation_steps.rb',
+         File.join('features/step_definitions/ra_navigation_steps.rb')
+        m.template  'features/step_definitions/ra_response_steps.rb',
+         File.join('features/step_definitions/ra_response_steps.rb')
+        m.template  'features/step_definitions/ra_resource_steps.rb',
+         File.join('features/step_definitions/ra_resource_steps.rb')
+        m.template  'features/step_definitions/user_steps.rb',
+         File.join('features/step_definitions/', "#{file_name}_steps.rb")
+        m.template  'features/accounts.feature',
+         File.join('features', 'accounts.feature')
+        m.template  'features/sessions.feature',
+         File.join('features', 'sessions.feature')
+        m.template  'features/step_definitions/rest_auth_features_helper.rb',
+         File.join('features', 'step_definitions', 'rest_auth_features_helper.rb')
+        m.template  'features/step_definitions/ra_env.rb',
+         File.join('features', 'step_definitions', 'ra_env.rb')
 
       else
         m.template 'test/functional_test.rb',

data/webgui/vendor/plugins/restful_authentication/generators/authenticated/templates/authenticated_test_helper.rb

@@ -1,7 +1,7 @@
 module AuthenticatedTestHelper
   # Sets the current <%= file_name %> in the session from the <%= file_name %> fixtures.
   def login_as(<%= file_name %>)
-    @request.session[:<%= file_name %>_id] = <%= file_name %> ? <%= table_name %>(<%= file_name %>).id : nil
+    @request.session[:<%= file_name %>_id] = <%= file_name %> ? (<%= file_name %>.is_a?(<%= file_name.camelize %>) ? <%= file_name %>.id : <%= table_name %>(<%= file_name %>).id) : nil
   end
 
   def authorize_as(<%= file_name %>)

data/webgui/vendor/plugins/restful_authentication/generators/authenticated/templates/features/accounts.feature

@@ -0,0 +1,109 @@
+Visitors should be in control of creating an account and of proving their
+essential humanity/accountability or whatever it is people think the
+id-validation does.  We should be fairly skeptical about this process, as the
+identity+trust chain starts here.
+
+Story: Creating an account
+  As an anonymous user
+  I want to be able to create an account
+  So that I can be one of the cool kids
+
+  #
+  # Account Creation: Get entry form
+  #
+  Scenario: Anonymous user can start creating an account
+    Given an anonymous user
+    When  she goes to /signup
+    Then  she should be at the 'users/new' page
+     And  the page should look AWESOME
+     And  she should see a <form> containing a textfield: Login, textfield: Email, password: Password, password: 'Confirm Password', submit: 'Sign up'
+
+  #
+  # Account Creation
+  #
+  Scenario: Anonymous user can create an account
+    Given an anonymous user
+     And  no user with login: 'Oona' exists
+    When  she registers an account as the preloaded 'Oona'
+    Then  she should be redirected to the home page
+    When  she follows that redirect!
+    Then  she should see a notice message 'Thanks for signing up!'
+     And  a user with login: 'oona' should exist
+     And  the user should have login: 'oona', and email: 'unactivated@example.com'
+
+     And  oona should be logged in
+
+
+  #
+  # Account Creation Failure: Account exists
+  #
+
+
+  Scenario: Anonymous user can not create an account replacing an activated account
+    Given an anonymous user
+     And  an activated user named 'Reggie'
+     And  we try hard to remember the user's updated_at, and created_at
+    When  she registers an account with login: 'reggie', password: 'monkey', and email: 'reggie@example.com'
+    Then  she should be at the 'users/new' page
+     And  she should     see an errorExplanation message 'Login has already been taken'
+     And  she should not see an errorExplanation message 'Email has already been taken'
+     And  a user with login: 'reggie' should exist
+     And  the user should have email: 'registered@example.com'
+
+     And  the user's created_at should stay the same under to_s
+     And  the user's updated_at should stay the same under to_s
+     And  she should not be logged in
+
+  #
+  # Account Creation Failure: Incomplete input
+  #
+  Scenario: Anonymous user can not create an account with incomplete or incorrect input
+    Given an anonymous user
+     And  no user with login: 'Oona' exists
+    When  she registers an account with login: '',     password: 'monkey', password_confirmation: 'monkey' and email: 'unactivated@example.com'
+    Then  she should be at the 'users/new' page
+     And  she should     see an errorExplanation message 'Login can't be blank'
+     And  no user with login: 'oona' should exist
+
+  Scenario: Anonymous user can not create an account with no password
+    Given an anonymous user
+     And  no user with login: 'Oona' exists
+    When  she registers an account with login: 'oona', password: '',       password_confirmation: 'monkey' and email: 'unactivated@example.com'
+    Then  she should be at the 'users/new' page
+     And  she should     see an errorExplanation message 'Password can't be blank'
+     And  no user with login: 'oona' should exist
+
+  Scenario: Anonymous user can not create an account with no password_confirmation
+    Given an anonymous user
+     And  no user with login: 'Oona' exists
+    When  she registers an account with login: 'oona', password: 'monkey', password_confirmation: ''       and email: 'unactivated@example.com'
+    Then  she should be at the 'users/new' page
+     And  she should     see an errorExplanation message 'Password confirmation can't be blank'
+     And  no user with login: 'oona' should exist
+
+  Scenario: Anonymous user can not create an account with mismatched password & password_confirmation
+    Given an anonymous user
+     And  no user with login: 'Oona' exists
+    When  she registers an account with login: 'oona', password: 'monkey', password_confirmation: 'monkeY' and email: 'unactivated@example.com'
+    Then  she should be at the 'users/new' page
+     And  she should     see an errorExplanation message 'Password doesn't match confirmation'
+     And  no user with login: 'oona' should exist
+
+  Scenario: Anonymous user can not create an account with bad email
+    Given an anonymous user
+     And  no user with login: 'Oona' exists
+    When  she registers an account with login: 'oona', password: 'monkey', password_confirmation: 'monkey' and email: ''
+    Then  she should be at the 'users/new' page
+     And  she should     see an errorExplanation message 'Email can't be blank'
+     And  no user with login: 'oona' should exist
+    When  she registers an account with login: 'oona', password: 'monkey', password_confirmation: 'monkey' and email: 'unactivated@example.com'
+    Then  she should be redirected to the home page
+    When  she follows that redirect!
+    Then  she should see a notice message 'Thanks for signing up!'
+     And  a user with login: 'oona' should exist
+     And  the user should have login: 'oona', and email: 'unactivated@example.com'
+
+     And  oona should be logged in
+
+
+

data/webgui/vendor/plugins/restful_authentication/generators/authenticated/templates/{stories/users/sessions.story → features/sessions.feature}

@@ -3,37 +3,37 @@ only to visitors who present the appropriate credentials.  Everyone wants this
 identity verification to be as secure and convenient as possible.
 
 Story: Logging in
-  As an anonymous <%= file_name %> with an account
+  As an anonymous user with an account
   I want to log in to my account
   So that I can be myself
 
   #
   # Log in: get form
   #
-  Scenario: Anonymous <%= file_name %> can get a login form.
-    Given an anonymous <%= file_name %>
+  Scenario: Anonymous user can get a login form.
+    Given an anonymous user
     When  she goes to /login
-    Then  she should be at the new <%= controller_file_name %> page
+    Then  she should be at the new sessions page
      And  the page should look AWESOME
      And  she should see a <form> containing a textfield: Login, password: Password, and submit: 'Log in'
   
   #
   # Log in successfully, but don't remember me
   #
-  Scenario: Anonymous <%= file_name %> can log in
-    Given an anonymous <%= file_name %>
-     And  an activated <%= file_name %> named 'reggie'
-    When  she creates a singular <%= controller_file_name %> with login: 'reggie', password: 'monkey', remember me: ''
+  Scenario: Anonymous user can log in
+    Given an anonymous user
+     And  an activated user named 'reggie'
+    When  she creates a singular sessions with login: 'reggie', password: 'monkey', remember me: ''
     Then  she should be redirected to the home page
     When  she follows that redirect!
     Then  she should see a notice message 'Logged in successfully'
      And  reggie should be logged in
      And  she should not have an auth_token cookie
    
-  Scenario: Logged-in <%= file_name %> who logs in should be the new one
-    Given an activated <%= file_name %> named 'reggie'
-     And  an activated <%= file_name %> logged in as 'oona'
-    When  she creates a singular <%= controller_file_name %> with login: 'reggie', password: 'monkey', remember me: ''
+  Scenario: Logged-in user who logs in should be the new one
+    Given an activated user named 'reggie'
+     And  an activated user logged in as 'oona'
+    When  she creates a singular sessions with login: 'reggie', password: 'monkey', remember me: ''
     Then  she should be redirected to the home page
     When  she follows that redirect!
     Then  she should see a notice message 'Logged in successfully'
@@ -43,92 +43,92 @@ Story: Logging in
   #
   # Log in successfully, remember me
   #
-  Scenario: Anonymous <%= file_name %> can log in and be remembered
-    Given an anonymous <%= file_name %>
-     And  an activated <%= file_name %> named 'reggie'
-    When  she creates a singular <%= controller_file_name %> with login: 'reggie', password: 'monkey', remember me: '1'
+  Scenario: Anonymous user can log in and be remembered
+    Given an anonymous user
+     And  an activated user named 'reggie'
+    When  she creates a singular sessions with login: 'reggie', password: 'monkey', remember me: '1'
     Then  she should be redirected to the home page
     When  she follows that redirect!
     Then  she should see a notice message 'Logged in successfully'
      And  reggie should be logged in
      And  she should have an auth_token cookie
 	      # assumes fixtures were run sometime
-     And  her session store should have <%= file_name %>_id: 4
+     And  her session store should have user_id: 4
    
   #
   # Log in unsuccessfully
   #
   
-  Scenario: Logged-in <%= file_name %> who fails logs in should be logged out
-    Given an activated <%= file_name %> named 'oona'
-    When  she creates a singular <%= controller_file_name %> with login: 'oona', password: '1234oona', remember me: '1'
+  Scenario: Logged-in user who fails logs in should be logged out
+    Given an activated user named 'oona'
+    When  she creates a singular sessions with login: 'oona', password: '1234oona', remember me: '1'
     Then  she should be redirected to the home page
     When  she follows that redirect!
     Then  she should see a notice message 'Logged in successfully'
      And  oona should be logged in
      And  she should have an auth_token cookie
-    When  she creates a singular <%= controller_file_name %> with login: 'reggie', password: 'i_haxxor_joo'
-    Then  she should be at the new <%= controller_file_name %> page
+    When  she creates a singular sessions with login: 'reggie', password: 'i_haxxor_joo'
+    Then  she should be at the new sessions page
     Then  she should see an error message 'Couldn't log you in as 'reggie''
      And  she should not be logged in
      And  she should not have an auth_token cookie
-     And  her session store should not have <%= file_name %>_id
+     And  her session store should not have user_id
   
   Scenario: Log-in with bogus info should fail until it doesn't
-    Given an activated <%= file_name %> named 'reggie'
-    When  she creates a singular <%= controller_file_name %> with login: 'reggie', password: 'i_haxxor_joo'
-    Then  she should be at the new <%= controller_file_name %> page
+    Given an activated user named 'reggie'
+    When  she creates a singular sessions with login: 'reggie', password: 'i_haxxor_joo'
+    Then  she should be at the new sessions page
     Then  she should see an error message 'Couldn't log you in as 'reggie''
      And  she should not be logged in
      And  she should not have an auth_token cookie
-     And  her session store should not have <%= file_name %>_id
-    When  she creates a singular <%= controller_file_name %> with login: 'reggie', password: ''
-    Then  she should be at the new <%= controller_file_name %> page
+     And  her session store should not have user_id
+    When  she creates a singular sessions with login: 'reggie', password: ''
+    Then  she should be at the new sessions page
     Then  she should see an error message 'Couldn't log you in as 'reggie''
      And  she should not be logged in
      And  she should not have an auth_token cookie
-     And  her session store should not have <%= file_name %>_id
-    When  she creates a singular <%= controller_file_name %> with login: '', password: 'monkey'
-    Then  she should be at the new <%= controller_file_name %> page
+     And  her session store should not have user_id
+    When  she creates a singular sessions with login: '', password: 'monkey'
+    Then  she should be at the new sessions page
     Then  she should see an error message 'Couldn't log you in as '''
      And  she should not be logged in
      And  she should not have an auth_token cookie
-     And  her session store should not have <%= file_name %>_id
-    When  she creates a singular <%= controller_file_name %> with login: 'leonard_shelby', password: 'monkey'
-    Then  she should be at the new <%= controller_file_name %> page
+     And  her session store should not have user_id
+    When  she creates a singular sessions with login: 'leonard_shelby', password: 'monkey'
+    Then  she should be at the new sessions page
     Then  she should see an error message 'Couldn't log you in as 'leonard_shelby''
      And  she should not be logged in
      And  she should not have an auth_token cookie
-     And  her session store should not have <%= file_name %>_id
-    When  she creates a singular <%= controller_file_name %> with login: 'reggie', password: 'monkey', remember me: '1'
+     And  her session store should not have user_id
+    When  she creates a singular sessions with login: 'reggie', password: 'monkey', remember me: '1'
     Then  she should be redirected to the home page
     When  she follows that redirect!
     Then  she should see a notice message 'Logged in successfully'
      And  reggie should be logged in
      And  she should have an auth_token cookie
 	      # assumes fixtures were run sometime
-     And  her session store should have <%= file_name %>_id: 4
+     And  her session store should have user_id: 4
 
 
   #
   # Log out successfully (should always succeed)
   #
-  Scenario: Anonymous (logged out) <%= file_name %> can log out.
-    Given an anonymous <%= file_name %>
+  Scenario: Anonymous (logged out) user can log out.
+    Given an anonymous user
     When  she goes to /logout
     Then  she should be redirected to the home page
     When  she follows that redirect!
     Then  she should see a notice message 'You have been logged out'
      And  she should not be logged in
      And  she should not have an auth_token cookie
-     And  her session store should not have <%= file_name %>_id
+     And  her session store should not have user_id
 
-  Scenario: Logged in <%= file_name %> can log out.
-    Given an activated <%= file_name %> logged in as 'reggie'
+  Scenario: Logged in user can log out.
+    Given an activated user logged in as 'reggie'
     When  she goes to /logout
     Then  she should be redirected to the home page
     When  she follows that redirect!
     Then  she should see a notice message 'You have been logged out'
      And  she should not be logged in
      And  she should not have an auth_token cookie
-     And  her session store should not have <%= file_name %>_id
+     And  her session store should not have user_id

data/webgui/vendor/plugins/restful_authentication/generators/authenticated/templates/features/step_definitions/ra_env.rb

@@ -0,0 +1,9 @@
+
+Before do
+  Fixtures.reset_cache
+  fixtures_folder = File.join(RAILS_ROOT, 'spec', 'fixtures')
+  Fixtures.create_fixtures(fixtures_folder, "users")
+end
+
+# Make visible for testing
+ApplicationController.send(:public, :logged_in?, :current_user, :authorized?)

data/webgui/vendor/plugins/restful_authentication/generators/authenticated/templates/features/step_definitions/ra_navigation_steps.rb

@@ -0,0 +1,48 @@
+#
+# Where to go
+#
+
+#
+# GET
+# Go to a given page.
+When "$actor goes to $path" do |actor, path|
+  case path
+  when 'the home page' then get '/'
+  else                      get path
+  end
+end
+
+# POST -- Ex:
+#   When she creates a book with ISBN: '0967539854' and comment: 'I love this book' and rating: '4'
+#   When she creates a singular session with login: 'reggie' and password: 'i_haxxor_joo'
+# Since I'm not smart enough to do it right, explicitly specify singular resources
+When /^(\w+) creates an? ([\w ]+) with ([\w: \',]+)$/ do |actor, resource, attributes|
+  attributes = attributes.to_hash_from_story
+  if resource =~ %r{singular ([\w/]+)}
+    resource = $1.downcase.singularize
+    post "/#{resource}", attributes
+  else
+    post "/#{resource.downcase.pluralize}", { resource.downcase.singularize => attributes }
+  end
+end
+
+# PUT
+When %r{$actor asks to update '$resource' with $attributes} do |_, resource, attributes|
+  attributes = attributes.to_hash_from_story
+  put "#{resource}", attributes
+  dump_response
+end
+
+# DELETE -- Slap together the POST-form-as-fake-HTTP-DELETE submission
+When %r{$actor asks to delete '$resource'} do |_, resource|
+  post "/#{resource.downcase.pluralize}", { :_method => :delete }
+  dump_response
+end
+
+
+# Redirect --
+#   Rather than coding in get/get_via_redirect's and past/p_v_r's,
+#   let's just demand that in the story itself.
+When "$actor follows that redirect!" do |actor|
+  follow_redirect!
+end